In fact, high-profile breaches by such nefarious actors are all too real. In just the last few months, the US Office of Personnel Management, the Government Printing Office, and the Government Accountability Office were breached by Chinese hackers, and records of background checks performed by US Investigations Services, a government contractor, were compromised in what looks like a state-sponsored attack.

State of urgency

The scope of the threats is massive and mutating; the US Director of National Intelligence has ranked cybercrime as a top national security threat. Given limited budgets and resources, prioritizing efforts and focusing on essential measures is paramount. In light of the multiple types and sources of attacks, cyber security teams are in a constant state of urgency. All of this can lead to a lack of focus. Panic-driven reactions, unclear compliance mandates, and lack of funding and expertise get in the way of effective cyber security implementation. High-visibility breaches prompt those responsible to make a big show of "fixing" the security lapses by investing in the "latest and greatest" technologies in an effort to provide reassurance to partners and clients.

This is rarely an effective response and isn't a prudent use of resources. Instead, there should be a return to basics, a common-sense approach that will effectively mitigate risks at a lower cost.

First, secure the core

Government agencies need to focus on the core of their infrastructure where the critical data actually reside. The top priority should be implementing stringent controls around access, user management, systems configuration, and data encryption. I believe that analysts often give insufficient guidance based on their bias for new and more "interesting" technology. It should be emphasized that inline network technologies are distinct from fundamental security controls, which should always come first.

The core infrastructure should be prioritized over the network boundary; if the core is weak, critical assets are at risk, no matter how much money and time has been invested in fortifying the perimeter. In fact, Verizon's most recent Data Breach Investigative Report indicated that 90% of the cyber attacks surveyed could have been prevented if simple security controls had been implemented. PricewaterhouseCoopers' 2014 US State of Cybercrime survey similarly found that fewer than half the organizations surveyed took necessary precautions.

Focus on data security

The PwC survey noted that among government services, unauthorized access to information, systems, or networks was reported by 24% of respondents. This alarming statistic, in conjunction with the recent breaches of sensitive info, highlights an urgent need for stronger data protections. Initiatives aimed at securing the core should also focus on system configuration, user management, and continuous monitoring of all of these factors. In the universe of cyber criminals, personal data is as prized and hoarded as money. Critical data (intellectual property, personnel and financial records, sensitive communications, etc.) being collected and stored must be properly handled and encrypted. It is important to note that data residing on outside contractors' systems are particularly vulnerable and should be included in security mandates.

Systems configuration is at the heart of security

Likewise, it is imperative to ensure that any system that touches critical data is properly configured and aligned -- on an ongoing basis -- with the appropriate set of security controls. The continuous monitoring requirements are straightforward. Security controls include monitoring event data (log and activity data) and state data (configuration and vulnerability state). These essential controls examine system settings to ensure they are aligned with best practices as defined by DISA, NIST, SANS, etc. Monitoring systems (including network devices, data storage, and applications) continuously on a near real-time basis enables organizations to detect weak links in their core infrastructure where critical data resides. Implementations should include mechanisms to measure controls against standards, find the deviations, and take remedial action to correct them.

Finally, after taking steps to secure and continuously monitor the data and systems at the core of your computing infrastructure, it is then appropriate to address the network layer, implementing antivirus and antimalware, intrusion prevention, firewall, and other technologies that help protect the network and keep the bad guys out.

Propagate a security culture

The human component of security should never be overlooked; user access privileges must be consistently and continuously managed, supported by clear policy and enforcement. Building cyber security into the organizational culture and mission is crucial. Everyone who touches critical data or connects to your network -- from executives to entry-level personnel, contractors to supply chain vendors -- must be under a mandate to practice and monitor proper user behavior. Thoroughly educating all users about the potential consequences (to the individual and the organization) of careless online behavior is an affordable and effective front-line defense strategy.

The recent and ongoing pile-up of government agency breaches shines a floodlight on the frightening vulnerability of online storage and networks. As governments increasingly conduct their operations in the cyber realm, building strong defenses at the heart of critical data and communications systems has become an urgent matter of national security. Hunker down and focus on the basics, continuously monitor and remediate, and train all the good guys to be cybersecurity guards.

Vijay Basani is CEO and President of EiQ Networks. He is a serial entrepreneur with a track record of building successful businesses delivering enterprise-class solutions. Before starting EiQ Networks, he founded AppIQ, an application storage resource management provider ...

You are correct - the weakest link is usually the user community, and is also the most difficult challenge to overcome. The key is to engineer their behavior through awareness training, and transform the organization's culture to include secure practices. Security awareness training is such a difficult task because there are so many different personalities involved. However, measurable training effectiveness can be achieved by delivering a message that becomes personal to the individual, so relating secure practices at work to their personal activities definitely helps. When you think about it, secure practices at work are really not much different from secure practices in one's personal life. When I deliver awareness training, I start with its implications on personal activities - online banking, shopping, social media, etc. That gets their attention all the time, and always results in lively discussion. Then I introduce corporate secure practices and demonstrate how those are not very different from the same ones I advocate they use in their personal activities. I think this method allows for better retention and effectiveness. Having said that, organizations should definitely have strong user controls in place, and should anticipate that users will attempt to circumvent them. When coupled with effective awareness training, the combination goes a long way towards the goal of transforming the organization's culture to include secure practices.

While I absolutely agree that one of the critical areas of security comes down to ensuring that everyone who has access to corporate resources understands their role in security, sadly this is still going to be the weak point of most organizations' perimeter defence. Let's face it, employees are tired of hearing about security and are looking for ways to get around basic security controls so that they have, what they feel, is a balance of convenience and access. The sad fact is that unless strong user controls are in place to dictate how data can be used and stored, and even ensuring that all the devices used to access the data (laptop, mobile, tablet) have the right security controls is still a huge gap for many organizations.
